Office365 MFA vs 2FA

  • I was hoping someone can explain the difference between MFA and 2FA. I was setting up a client with a new O365 account today and came across the requirement to setup MFA on their phones or skip for 14 days. The process then take you to a website to download the Microsoft Authenticator app and jump through more hoops. If I disable MFA and try to use 2FA on their phones with application passwords, I am able to connect but then their email receives something along the lines of their account has been blocked by the administrator.

    Am I correct in saying that MFA is the new 2FA and the old 2FA can no longer be used or is being phased out? This whole setup was the worst I've ever dealt with.

    I was also seeing forums mentioning that Microsoft is kind of forcing users to use Outlook on their mobile devices instead of the built in mail apps.

  • 2FA is really no longer a thing (if I'm understanding what you're talking about). MFA is the means for utilizing additional means of authentication. MFA is a superset of 2FA. If you disable MFA then you're disabling 2FA effectively.

  • @Kelly said in Office365 MFA vs 2FA:

    2FA is really no longer a thing (if I'm understanding what you're talking about). MFA is the means for utilizing additional means of authentication. MFA is a superset of 2FA. If you disable MFA then you're disabling 2FA effectively.

    I was just really confused by the whole delivery of this setup. I have configured and migrated to a ton of O365 setups and something was just unnecessarily difficult with this one. I understand now that the newer versions of Outlook support MFA and connect much easier than say an iphone. On the iphone, it would redirect and tell the user they have 14 days to setup MFA. If you proceed with setting up MFA the user has to download the MS Authenticator app and then flip back and forth to add their code and copy and paste a url. The redirection asks they scan the bar code but can't really scan a bar code on the screen of the device you are setting up. I assume the proper way to set with up would have been to have the user login to a computer first and get their authenticator setup before adding the account.

    I agree that multifactor should be used but if they are going to require it by default, there should be a better way to get the users setup.

  • I just felt like the average user would need a lot of hand holding to get this setup. I was struggling mostly because I was unaware that this was the default setup on new accounts now.

  • Ok this is all over the place, so let's try to start at the beginning.

    • Although MFA and 2FA technically have some differences, for the sake of this conversation they're essentially the same thing.
    • In order to use MFA, you require 1) Apps which support Modern Authentication or 2) App Passswords. App Passwords are essentially a workaround to not having compatible software (old Outlook clients) so that you can have MFA enabled.
    • The key to successfully using MFA is what's referred to as Modern Authentication. This is enabled by default in new tenants since 2017 I believe. If your tenant was created before this time, then you need to manually enable it in your admin center.
    • Outlook on mobile is the required/recommended app because up until recently, it was the only one along with standard iPhone Mail app which supported Modern Authentication. Therefore, if you wanted to be able to generate the MFA code via SMS or Authenticator app, you would need to use Outlook for mobile. I believe GMail now supports it as well as of recently. All other standard e-mail apps for Samsung and other devices currently do not support Modern Authentication.
    • To my knowledge, MFA isn't enabled by default in tenants so someone has triggered this for your users inadvertently, possibly by enabling what's called Security Defaults. People probably shouldn't enable things they don't understand the full extent of what they do. That would also explain why users trying to use App Passwords on their phones are getting blocked because I believe Security Defaults disables Basic Authentication, which is what these other e-mail clients are using.

    Steps to take:

    1. Check to see if someone has enabled Security Defaults. Check here for more info on what it is and how to enable/disable it. If it's enabled, considering disabling it for the time being to get everything back working as you're used to.
    2. Ensure that Modern Authentication is enabled in your tenant. Check here for info about that.
    3. You need to eventually get to where you're only using Modern Auth and MFA, so you do need to block Basic Authentication (which will happen automatically next year. It was postponed due to Covid-19). Review which devices are still using apps that don't support Modern Authentication via Azure and work to get those users onto apps that are supported. Check here for details.
    4. Once you've moved everyone to compatible apps that support Modern Auth, you need to disable Basic Auth. Steps can be found here to do so. Without this step, MFA is near useless because Basic Auth methods bypass MFA and so attackers can still breach your accounts.
    5. Now that you've done all this, you need to review MFA policies and setup how you want your users to be able to receive their codes whether Authenticator app, SMS, phone call, etc. Once you've decided these things, you can go in and enable MFA for individual users to get a feel for the process before you roll out to others. This gives you the ability to generate some documentation that will make it easier for others so that they know what to expect.

    All of this isn't overly complicated, but it does take some additional planning up front. Hopefully that helps alleviate some confusion.

  • @zachary715 - I appreciate the very detailed response. Definitely answers a lot of the questions and issues I ran into today.

    One thing I noticed is that the internal users in the office logging in on their computers were forced to enter cell phone numbers upon their initial login. The external service techs that only use their cellphones were not given this option upon their initial sign in to email. The techs were only given the option to use MS Authenticator which caused a lot of confusion. While I know the authenticator app is more secure, it would have been nice if they had been prompted to add their cell phones numbers in order to provide 2fa over sms. Really without being in front of a desktop during your initial user setup, setting up the authenticator from a cell phone is a little bit of a nightmare for a typical user. I know they can hop back and forth between apps to copy and paste but these are not tech savy users. Ultimately I ended up having to set everyone's devices up for them which was a pain. I did find out after the fact that I can enable phone as one of the MFA options.

  • @zachary715 - So when I setup users with MFA enabled and connect them to Outlook 2019 (365), I assume you cannot use the app password with Modern Auth enabled. What is the best method for connecting Outlook without having to constantly enter a sms code or using the authenticator?

  • I'm not totally sure if an app password is still usable with Modern Auth or not. It sort of defeats the purpose. If you don't want to have to constantly enter the MFA code, you have a couple of options.

    1. Enable the setting that allows trusted devices to remember authentication up to 60 days before prompting again. This reduces it, but still requires users to from time to time verify their session.
    2. Enable the Trusted IPs setting for your office to make it so that if users are authenticating from a public IP you specify, it doesn't prompt for MFA. Anything outside that IP does prompt for MFA. I haven't tested this specific setting, but this is how I understand it to work. Not sure if any additional licensing is needed. More info about these first two items found here
    3. Setup Conditional Access policies that further specify when MFA is and isn't required. This is the ideal solution, but requires additional licensing with at least Azure AD P1 or M365 Business Premium. With Conditional Access, you have a lot of additional controls over these things. More info on Conditional Access here.

  • @zachary715 - Again thank you for the the info. My concern is that the users will have to constantly keep re-authenticating their Outlook on their work desktops which would be a pain. One laptop I setup was asking for credentials 15 minutes after I set it up. I was nervous thinking that all the systems were going to do this but I think it was isolated to that one system.

  • Yeah that shouldn't happen. First thing to check on that would be to ensure there were no saved credentials in Windows Credential Manager that may be trying to conflict. Otherwise, that sounds like a fluke issue and not something normal.

Log in to reply